[Owncloud] Question about security
Frank Karlitschek
karlitschek at kde.org
Thu Aug 12 18:27:49 UTC 2010
On 11.08.2010, at 00:02, Pauleman (DerPaul) wrote:
> Hello all,
>
> just for fun I tested to download a file directly from the data location
> of owncloud. I was surprised that there was no protection of the data
> directory and also of the backup directory. Is there any idea to prevent
> the direct access?
>
> Regards
>
> Pauleman
Hi,
I think this is a very good point.
Having an unprotected document directory in your web directory is a bad idea.
I think we need some fancy logic for this problem.
ownCloud should check if the current document directory is in the documentroot and accessible from the internet. If no -> no problem. If yes, try to automatically put a .htaccess in the directory and check with a fopen http request if access is still possible. If no -> problem solved. If yes -> big security problem and do nothing till the user fixes this security hole.
Cheers
Frank
--
Frank Karlitschek
karlitschek at kde.org
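
The check described in the reply above, as an added example in Python (not ownCloud code and not part of the original message). The function names, the random canary file, the Apache 2.4 `Require all denied` rule and the `fetch` parameter are assumptions made for illustration.

```python
import os
import secrets
import urllib.error
import urllib.request

# Assumption: Apache 2.4 with AllowOverride enabled for this directory.
HTACCESS = "Require all denied\n"

def inside(docroot, path):
    """True if path resolves (symlinks followed) to a location under docroot."""
    root, path = os.path.realpath(docroot), os.path.realpath(path)
    return os.path.commonpath([root, path]) == root

def http_fetch(url):
    """Return the body, or None when the server answers with an HTTP error.
    Network failures propagate so an unreachable server is never read as 'protected'."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read()
    except urllib.error.HTTPError:
        return None

def check_data_dir(data_dir, docroot, base_url, fetch=http_fetch):
    """Return 'outside-docroot', 'protected' or 'exposed'."""
    if not inside(docroot, data_dir):
        return "outside-docroot"          # not served by the web server: no problem
    htaccess = os.path.join(data_dir, ".htaccess")
    if not os.path.exists(htaccess):      # never overwrite an admin's own rules
        with open(htaccess, "w") as f:
            f.write(HTACCESS)
    # A random canary proves the response really came from this directory,
    # which a bare status-code check cannot (custom error pages return 200 too).
    token = secrets.token_hex(16)
    canary = os.path.join(data_dir, "probe-" + token + ".txt")
    with open(canary, "w") as f:
        f.write(token)
    try:
        rel = os.path.relpath(os.path.realpath(canary), os.path.realpath(docroot))
        body = fetch(base_url.rstrip("/") + "/" + rel.replace(os.sep, "/"))
    finally:
        os.remove(canary)                 # leave no probe file behind
    exposed = body is not None and token.encode() in body
    return "exposed" if exposed else "protected"
```

A caller would refuse to continue on `'exposed'`, which is the case where the server ignores `.htaccess` files and the administrator has to move the directory or change the server configuration.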